Malicious Domains by Lelenina

[lelenina]

Code: [Select]

http://mtravel3biz.com/in.cgi?19=&parameter=porn&mudo=dumd&ID=1&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002TmpvaU9EQXlOakUzSWp0ek9qRXlPaUpoWkhabGNuUnBjMlZmYVdRaU8zTTZOam9pTVRFNE16TTBJanR6T2pRNkltdHdjR2tpTzNNNk16b2lPVGs1SWp0OWN6b3pPaUp0WkRVaU8zTTZNekk2SWpCbU9UZzBaRE13TURrMVlqRm1aRFE0WWpVMFlXSXlNR0kyT1RobFlqUTNJanQ5
Redirects to exploit kit and fake scanner page?

[lelenina]

Code: [Select]

http://www.domainnamereg1.in/retn/qb0pfsg/lgut722.php
Java exploit

[lelenina]

Code: [Select]

http://92.63.107.10/223/tmp/pdfopen.pdf
Pdf exploit

Code: [Select]

http://92.63.107.10/223/tmp/m.vbs
Second part of the exploit

Code: [Select]

http://92.63.107.10/223/l.php?i=14
Trojan.Downloader

[lelenina]

Code: [Select]

http://firstport.in/x/?src=kostes&id=best&o=o&ID=1&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002TmpvaU5qRXhPRGt6SWp0ek9qRXlPaUpoWkhabGNuUnBjMlZmYVdRaU8zTTZOam9pTVRJeE1UUTFJanR6T2pRNkltdHdjR2tpTzNNNk16b2lPVGs1SWp0OWN6b3pPaUp0WkRVaU8zTTZNekk2SW1Zek9UaGlOV0ppWm1abVpUaGpaRGd6WXpRNVpUTmlOalZoWkRObFpUTXlJanQ5
Directs to exploit kit?

[lelenina]

Code: [Select]

http://datadigitalonline.com/video-plugin.45031.exe
Trojan

[lelenina]

Code: [Select]

http://flashdns.in/x/?src=kostes&id=best&o=o&ID=100000
Exploit kit

[lelenina]

Code: [Select]

http://fitrst.ignorelist.com/3/?c=11
Fake scanner page

[lelenina]

Code: [Select]

http://www.domainnamereg2.in/retn/qb0pfsg/mq780ag.php?s=2fe5d89d78da92f1d0f323f8d9b20738&ID=1
Redirects to fake scanner page (same redirection as pivfeels.com)

[SysAdMini]

Code: [Select]

http://www.domainnamereg2.in/retn/qb0pfsg/mq780ag.php?s=2fe5d89d78da92f1d0f323f8d9b20738&ID=1
Redirects to fake scanner page (same redirection as pivfeels.com)

fake scanner page is a side effect only.

It is a Eleonore exploit kit. Fake scanner url is probably called only if exploits are unsuccessful.
Look at function complete(). I have seen such a combinatiion before.

http://wepawet.cs.ucsb.edu/view.php?hash=8a89f74589ce966cf71a08a4d86e567b&t=1279656448&type=js

[lelenina]

Code: [Select]

http://ntscanner.in/new/index.php?ID=1
Exploit kit

[lelenina]

Code: [Select]

http://www.domainnamereg2.in/retn/qb0pfsg/mq780ag.php?s=2fe5d89d78da92f1d0f323f8d9b20738&ID=1
Redirects to fake scanner page (same redirection as pivfeels.com)

fake scanner page is a side effect only.

It is a Eleonore exploit kit. Fake scanner url is probably called only if exploits are unsuccessful.
Look at function complete(). I have seen such a combinatiion before.

http://wepawet.cs.ucsb.edu/view.php?hash=8a89f74589ce966cf71a08a4d86e567b&t=1279656448&type=js

Wepawet really comes in handy when analyzing exploits.  I have that website bookmarked.  Thank you for showing me that.

[lelenina]

Code: [Select]

http://mtravel3biz.com/in.cgi?20&parameter=bank44b&ur=1&HTTP_REFERER=nnned1
Redirects to fake scanner page

Code: [Select]

http://stifast31.info/bv/
Fake scanner page

Code: [Select]

http://bereto8ns.com/zbb/index.php
Exploit kit

Code: [Select]

http://superflashplayer.com/video-plugin.45031.exe
Trojan

Code: [Select]

http://theflashclub.com/New-Video-Addon.48577.exe
Trojan

[lelenina]

Code: [Select]

http://super-fresh-tube.com/xfreeporn.php?id=45309
Fake porn site

Code: [Select]

http://mediafirstsystems.com/video-plugin.45309.exe
Trojan

[lelenina]

Code: [Select]

http://tdsinfo.tk/in.cgi?3=&ID=10000
exploit kit

[lelenina]

Code: [Select]

http://netmediaforum.com/video-plugin.45309.exe
Trojan